Introduction and Scope Risk Monitoring Process

Number: 8000.0 Revised: August 15, 2010

All campus employees are responsible for reporting any information security risk or non-compliance issue that comes to their attention to the Information Security Office. In cases where an employee is not directly responsible for the system or process involved, they should also alert the responsible manager.

When a risk or non-compliance is identified and there is insufficient or conflicting information regarding its likelihood of occurrence or potential impact, the Information Security Office will initiate and complete a Risk Monitoring plan. The steps used to develop such a plan are:

Step 1: Risk Identification – The employee or manager who identified the risk or non-compliance calls the Information Security Office at 278-1999 to discuss the potential risk and agree on whether risk monitoring or immediate mitigation is needed. If immediate risk mitigation is required, proceed to the Risk Monitoring section of this process; otherwise go to Step 2 below.

Step 2: Define Risk Monitoring Activities – The Information Security Office defines the risk or non-compliance and documents a plan with activities, resources and timeline. The plan will be submitted to the Vice President and Chief Information Officer in a timely manner.

Step 4: Submit Findings and Notify or Request as Appropriate – The Information Security Office submits the findings of the investigation and risk monitoring to the Vice President and Chief Information Officer. The findings will be summarized in one of the following four categories:

Notification of compliance

Notification of risk transference plan

Request for risk mitigation

Request for risk acceptance

If it is determined that the process or issue is in compliance with campus risk processes, or the risk is found to have been misidentified, the process is complete and compliance will be indicated in the final report.

If the risk does exist, the monitoring report from the Information Security Office will identify either a risk transference plan, a risk mitigation request, or a risk acceptance request. Risk transference must be approved in writing by the Information Security Officer.